Hi,
I found this project quite promising, but I would like to configure
dnssec_keydir and storage per zone .
Now all keys and db files are in one directory, that is probably OK if
you have couple of zones, also if they are very big, but we have
configured about 48k zones(this can be configured to tree and separated
by includes), which means at start 48.000 db files and 48.000x4 =
192.000 DNSSEC key files(later when rotating keys it can be even more).
It is probably acceptable when accessing db files, because I did not
found any directory crawling here, but only from performance point of
view, not from administrator's (backups/listing/quick fixes etc).
I thing problem is in dnssec_keydir, becouse of way how keys are
filtered(libknot/dnssec/zone-keys.c method knot_load_zone_keys) by name
and included or removed from zone.
Also as I understand updating(insert/delete inodes) large directories
can harm performance of updating a lot. I think It will often block
listing of files for key searching, slowdown parallel writing to
directories etc. Also crawling large array for few keys for zone(192k
lines for 4 files).
Compare:
one dnssec_keydir /data:
list whole directory 192k for find 4 lines
per zone dnssec_keydir /data/e/ex/exa/exam/example.com/K* (this
structure is example and can be configurable by dnssec_keydir variable
in zone, think of it as emulating some sort of binary tree):
6 x access to sub directory+ list only one directory for 4 lines (max
6-8 when rotating)
I attached patch, which I believe solve this with little performance
penalty and little more memory usage(only for those which want tree
structure for example).
About structure it should not be created on demand, but precreated by
administrator/script . I believe it can save lots of time and disk io.
At the end I may be totally wrong, I did not made any tests yet.
Kamil
--
Kamil Sopko
Dodavatel technické podpory
pro
savana.cz s.r.o.
Lounská 983/43, 405 02 Děčín VI-Letná
Telefon: +420 478 472 100
Provozní doba: PO-PÁ 8-118 hod a SO-NE 9-12 hod
Web: www.savana.cz
Hi,
without DNS UPDATE OpenDNSSEC can be configured to read an unsigned zone
file, sign it and reload the zone [1]. With DNS UPDATE it gets more
complicated. It seems that you have to run a hidden primary that
receives that updates and transfers the unsigned zones to OpenDNSSEC
which in turn transfers the zones to a slave server. There are some
alternatives if you manipulate zone files with custom scripts.
While a hidden primary may be acceptable and zone transfers are probably
the most reliable solution, it is an overkill for my use case and adds
to much complexity. I could use Knot DNS to sign the zones, but it
doesn't automate KSK rollovers and I need to execute a custom binary to
update the keys at the registrar which is also not supported. Perhaps
Knot DNS could remove all DNSSEC RRs before it transfers the zone to
OpenDNSSEC, but it's kind of a hack and I'm not sure if this a good idea.
OpenDNSSEC also delayed support for dynamic updates to 2.x, which means
2014 and or later. So this is not an option.
Does anyone have suggestions to solve this problem?
Regards,
Matthias-Christian
[1] http://www.bortzmeyer.org/opendnssec-nsd.html
Hi,
I am new on this list, and have just installed and start using Knot for
the first time on freeBSD:
#uname -r
10.0-BETA1
Look pretty nice and light. very close to Bind/Unix daemon configuration
styles.
After I have started the daemon,
#knotd -d
and check his status:
#knotc status
OK
and check the version:
#knotd -V
Knot DNS, version 1.3.2
I tried to hide the version as above:
#
# This is a sample of a minimal configuration file for Knot DNS.
#
# For exhaustive list of all options see samples/knot.full.conf
# in the source directory or refer to user manual.
#
system {
# Identity of the server (see RFC 4892).
##identity on;
##
version "My First Knot Config..";
# Version of the server (see RFC 4892)
version on;
# User for running server
# May also specify user.group (e.g. knot.knot)
user root.knot;
# This is a default directory to place slave zone files, journals etc.
# default: ${localstatedir}/lib/knot, configured with --with-storage
# storage "/usr/local/var/lib/knot";
# Directory for storing run-time data
# e.g. PID file and control sockets
# default: ${localstatedir}/run/knot, configured with --with-rundir
# rundir "/usr/local/var/run/knot";
}
interfaces {
all_ipv4 {
address 0.0.0.0;
port 53;
}
all_ipv6 {
address [::];
port 53;
}
}
control {
# Default: knot.sock (relative to rundir)
listen-on "knot.sock";
# As an alternative, you can use an IPv4/v6 address and port
# Same syntax as for 'interfaces' items
# listen-on { address 127.0.0.1@5533; }
# Specifies ACL list for remote control
# Same syntax as for ACLs in zones
# List of remotes or groups delimited by comma
# Notice: keep in mind that ACLs bear no effect with UNIX sockets
# allow server0, admins;
}
#remotes {
# master0 {
# address 198.51.100.1@53;
# }
# slave0 {
# address 203.0.113.1@53;
# }
#}
zones {
# Example master zone
# example.com {
# file "/usr/local/etc/knot/example.com.zone";
# xfr-out slave0;
# notify-out slave0;
# }
#
# Example slave zone
# example.net {
# file "/usr/local/var/lib/knot/example.net.zone
# xfr-in master0;
# notify-in master0;
# }
}
log {
syslog {
# log errors of any category
any error; # for <category> and <severity> see above
# log also warnings and notices from category 'zone'
zone warning, notice;
# log info from server
server info;
}
# Log fatal, warnings and errors to stderr
stderr {
any error, warning;
}
After I have reloaded the daemon with:
#knotc reload
OK
The version remain the same.
Another question is, when I tried to run the command knotd -c knot.conf,
I received errors as above:
root@chris:/usr/local/etc/knot # knotd -c knot.conf
2013-10-25T19:46:00 Reading configuration
'/usr/local/etc/knot/knot.conf' ...
2013-10-25T19:46:00 [error] Cannot bind to socket (errno 48).
2013-10-25T19:46:00 [error] Could not bind to UDP interface 0.0.0.0 port 53.
2013-10-25T19:46:00 [error] Cannot bind to socket (errno 48).
2013-10-25T19:46:00 [error] Could not bind to UDP interface :: port 53.
2013-10-25T19:46:00 [warning] Server started, but no zones served.
and the errors makes me to pkill knot the process and start the daemon
again.
I my doing wrong?
Sorry for the configuration statements in the mail.
--
Kind Regards
Eric Kom
Senior IT Manager - Metropolitan Schools
_________________________________________
/ You are scrupulously honest, frank, and \
| straightforward. Therefore you have few |
\ friends. /
-----------------------------------------
\
\
.--.
|o_o |
|:_/ |
// \ \
(| Kom | )
/'\_ _/`\
\___)=(___/
2 Hennie Van Till, White River, 1240
Tel: 013 750 2255 | Fax: 013 750 0105 | Cell: 078 879 1334
erickom(a)kom.za.net | erickom(a)metropolitancollege.co.za
www.kom.za.net | www.kom.za.org | www.erickom.co.za
Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5
